htlcswitch: add InitAttempt for idempotent external dispatch

[calvinrzachman]

Background

As part of a larger effort to support offloading path-finding and payment life-cycle management to an external entity, we are introducing a new switchrpc gRPC sub-server #9489. This will allow a remotely instantiated ChannelRouter or other RPC client to orchestrate payments across a set of remote lnd instances.

To safely support this, we need to prevent duplicate payment attempts and resulting unintentional loss of funds when using the forthcoming switchrpc server and SendOnion RPC. The two primary categories of duplicate payment risk are:

1. Server-Side Logic Failure: The htlcswitch fails to enforce "at-most-once" dispatch for a given attemptID.
2. Client-Side Logic Failure: The ChannelRouter or RPC client misinterprets an ambiguous error, incorrectly assumes an attempt has failed, and launches a new, duplicative attempt via another attempt ID.

Communication over a network is unreliable; a remote client can time out and lack certainty on whether its request was processed, lost, or whether the server's acknowledgement of the request was lost. To navigate this, a remote client will need to employ principles of reliable communication in the form of: client supplied request IDs, retries, acknowledgements, idempotent APIs and sound error handling.

Change Description

This PR is a first foundational step. It does not introduce the RPC itself, but instead adds the underlying storage mechanism that makes idempotence possible. We introduce a new AttemptStore interface and expand its kvdb-backed implementation, the networkResultStore, to include two new methods. This allows us to durably persist a record of intent to dispatch an HTLC prior to that HTLC being forwarded.

The core primitives this new store provides are:

1. s.attemptStore.InitAttempt(attemptID): This serves as a "durable write of intent" or "write-ahead log," checkpointing the existence of an attempt prior to dispatch. It creates a record in a new PENDING state, guaranteeing that any subsequent call for the same ID will be rejected as a duplicate.
2. s.attemptStore.FailPendingAttempt(attemptID): This provides a mechanism to transition an initialized attempt to a terminally failed state. This prevents accrual of initialized attempts which are not actually dispatched. Such orphaned PENDING attempts would otherwise cause GetAttemptResult subscribers to hang waiting on a result which will never arrive.

NOTE: An effort is made in this branch to "preserve the core" htlc dispatch logic. To minimize the risk of regressions for existing lnd users, this work will leave the critical-path logic of htlcswitch.SendHTLC and the routing.paymentLifecycle completely untouched. All new logic will be implemented at the switchrpc boundary. It also appears possible to achieve our goal without modifying the on-disk structure of the networkResult type. The idea is to overload the use of the lnwire.Msg field to encode a third state besides Settle/Fail—namely, PENDING.

With the introduction of the PENDING state, we update the primary user of the attempt store, GetAttemptResult. Previously, a tracking request that raced ahead of a full HTLC dispatch could receive a misleading ErrPaymentIDNotFound. Now, when GetAttemptResult encounters an attempt in the PENDING state, the store returns htlcswitch.ErrAttemptResultPending. This signal is used to correctly subscribe to the future outcome rather than returning an error, ensuring the tracker safely waits for the definitive result. This makes the entire tracking lifecycle robust against dispatch request race conditions which external routers may otherwise encounter.

Future Work

• Introduce the new switchrpc sub-server with a SendOnion RPC that uses the AttemptStore to provide an idempotent API.

Steps to Test

• All htlcswitch and routing unit tests pass.
• New unit tests for the networkResultStore have been added to verify the InitAttempt, FailPendingAttempt, and cleanupOrphanedAttempts logic.

[gemini-code-assist]

Summary of Changes

Hello @calvinrzachman, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the reliability of HTLC payments by preventing duplicate attempts, particularly in scenarios involving remote clients and the switchrpc sub-server. It introduces an AttemptStore interface and modifies the SendHTLC method to ensure that only one HTLC is forwarded for a given attempt ID. The changes include persisting the intent to dispatch an HTLC before sending it to the network and introducing a PendingNetworkResult message type.

Highlights

• Duplicate Payment Prevention: This PR introduces a mechanism to prevent duplicate payment attempts when using the switchrpc gRPC sub-server and SendOnion/TrackOnion RPCs. It addresses potential fund losses due to unintentional retries.
• Attempt Store Interface: An AttemptStore interface is defined to manage HTLC payment attempt results, supporting both local and remote lifecycle controllers.
• Durable Persistence of Intent: The Switch now durably persists the intent to dispatch an HTLC before sending it, adding a checkpoint to prevent duplicates. This involves writing to disk prior to sending the HTLC.
• SendHTLC() Modification: The SendHTLC() method is updated to be safe for multiple calls with the same attempt ID. The Switch's networkResultStore is modified to enable this.
• InitAttempt Method: A new InitAttempt(attemptID) method is added to the AttemptStore interface. This method updates the attempt result store to durably mark the existence of an attempt before sending it to the network.
• Pending Network Result: Introduces a PendingNetworkResult message type to mark an attempt as initiated but not yet settled/failed.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

An excellent pull request that introduces a robust mechanism to prevent duplicate HTLC dispatches. The approach of using a placeholder in the networkResultStore to mark an attempt as "in-flight" is a clever way to achieve this without significant changes to the on-disk format.

My review has identified one critical issue in the implementation of the duplicate check. Addressing this point will help ensure the stability and correctness of this important feature.

[bitromortac]

Thank you for exploring this @calvinrzachman! The direction looks good.

I think something is still missing, answering the question: who deletes results and when (including how long would we like duplicate protection to last)? At the moment it is not safe to restart the client or server if we want to allow simultaneous use of SendOnion (external) and SendPaymentV2 (internal), because there are two routers that call CleanStore at restart. So for example, a restart of the server would delete all the in-flight attempts initiated by another client. A minimally working version of this would require a flag to turn off the server's router to prevent its calls to CleanStore, right?

To solve this we probably need to extend the switch rpc to also implement NextID

lnd/server.go

Line 1163 in fb68f36

NextPaymentID: sequencer.NextID,

such that the client (payment service or internal router) can request a new attempt id. This shifts some burden of internal bookkeeping to the client because it won't receive unique attempt ids across servers (so it needs to perhaps prefix the returned attempt id with a server id in its internal implementation of NextID such that the client's control tower has unique attempt ids).

In order to solve the multi client CleanStore problem, we would need to extend the switchrpc.SendOnion/TrackOnion call with a client id (you mentioned this idea elsewhere). This way we can set the first byte of the attempt id used as a key for the server's network results store as the client id, to avoid initial database changes (we could later extend the key and really prefix the client id to have a larger space and to enable more clients) and leave the attempt id used in the switch untouched (no prefixing). That way we can have CleanStore(clientID, keepIDs) to only clean up the results concerned with the client. Those are just some initial thoughts and they probably require a second thorough analysis, but hopefully gives some more directions.

[calvinrzachman]

@bitromortac yes, we can certainly expand our switchrpc server to support some method of attempt information cleanup.

Two potential behaviors for deletion I have considered thus far are:

1. CleanStore(keepSet []ID): deletes everything except that which it's told to keep.
2. DeleteAttempts(deleteSet []ID): deletes only what is explicitly specified to delete.

There are some differences to the two approaches, but for now we have an implementation of a CleanStore RPC which follows the approach lnd has taken historically for deletion from the Switch's attempt store here: calvinrzachman#19

You're quite right that it is not safe to have multiple HTLC dispatching entities independently calling CleanStore without coordination. The CleanStore approach to deletion requires ID space separation. It cannot work with multiple clients sharing the same flat attempt ID space. There needs to be an identity-aware mapping of attempt IDs - the Switch must know:

• Which client (or namespace) "owns" each attempt ID.
• Therefore, it can safely say: “delete all of my IDs except the ones I still care about.”

Though I don't have this entirely flushed out, I think it might be possible for multiple routers to share an ID space if:

1. The Switch RPC server centrally hands out attempt IDs for all router clients via a NextAttemptID endpoint.
2. The routers use a DeleteAttempts based approach to deletion.

A minimally working version of this would require a flag to turn off the server's router to prevent its calls to CleanStore, right?

Yes, exactly! We can disable lnd's typical cleanup behavior which occurs on Router startup via routing/htlcswitch configuration or by entirely disabling the routerrpc and the on-board ChannelRouter all together via something like this: #10110 or this #10178.

[bitromortac]

I noticed that CleanStore doesn't use the mutexes, probably because of the assumption that it's only called at startup. I'm not sure if we should add them and cancel any subscriptions. We want to have continuous maintenance of result clean up in the future, so maybe it's worth to at least add a comment?

[calvinrzachman]

Yeah, that sounds like a good explanation for why it might not have originally been included. I can make a comment. We could update CleanStore to use the mutexes when we add the switchrpc.CleanStore method in a future PR as then it would be subject to being called concurrently with other operations of the result store?

[bitromortac]

Are you saying we should add it (the attemptIDMtx)?

[calvinrzachman]

Upon looking a little closer. I think we only need to use the mutex when modifying the database or the subscribers map.

// We get a mutex for this attempt ID. This is needed to ensure
// consistency between the database state and the subscribers in case
// of concurrent calls.

I think your point about CleanStore is the true place where the mutex will eventually be necessary.

[lightninglabs-deploy]

@ellemouton: review reminder
@calvinrzachman, remember to re-request review from reviewers when ready

[ziggie1984]

I think it would be nice to mention what SendHTLC is currently only safe to run and be called from one Router and more that that (attemptID collision)

[ziggie1984]

Almost, two final comments left:

1. please remove the pendingMsg check in the new subscribenotifier function in the resultstore
2. please make sure you add the unit-tests in a separate PR regarding the Duplicate Drops/Deletes I mentioned above.

[bitromortac]

Looks close, we need to check that errors originating from InitAttempt are handled correctly (see comment).

[bitromortac]

We could make it more self-documenting by calling it FailPendingAttempt.

[bitromortac]

I think we need to wrap this error with ErrAmbiguousInitCheck (or similar), to be able to handle this with retries in the (external) router. Otherwise we would fail the attempt in the tower db when getting a result db error, but could still have an inflight HTLC, to lead to a duplicate send? We probably just need to wrap the database error within InitAttempts read operation.

[calvinrzachman]

Nice catch 🎉 We have considered many an edge case, but I neglected to consider this last case where the durable write of intent to dispatch, which offers the duplicate protection, itself fails due to serialization or DB error.

Updated to include a new error to mark this scenario. Left as a separate commit for now. If you think it looks fine, then I'll squash into the existing commits before merge.

[bitromortac]

I think we can leave the separate commits to explicitly document the new error handling, just place those commits after the idempotency commit.

[bitromortac]

Ok, I agree with the strategy of exporting DispatchHTLC, using it in SendOnion.

[calvinrzachman]

@ziggie1984 I updated the error name to ErrAttemptResultPending as requested and removed the pending check from the notifySubscribers helper. You're right that we keep the function "pure" notification only and simply just not call this method when it is not appropriate to do so.

We do have unit tests for the CircuitMap which verify the duplicate drops/deletes so we're not completely in uncharted waters, but I can put up a draft branch which adds a test to switch_test.go for this scenario you highlight.

[bitromortac]

Great work @calvinrzachman, I didn't find any more edge cases. It could make sense to split one commit and I have a few other small remarks and questions.

[bitromortac]

We should split this commit up as it contains many changes (can see it from the bullet points in the commit message as well). You separated the tests, which shows you how you could have split this commit into smaller pieces, the first one that touches methods from InitAttempt duplicate prevention and a second one that calls the other methods in TestNetworkResultStoreFailAndFetch.

[calvinrzachman]

Split up the commit! Let me know if it looks better.

[bitromortac]

We should also mention that this must always be the first call in this method to not break idempotency (no calls that can return before this).

[calvinrzachman]

added in mention of this. let me know if you like it.

[calvinrzachman]

Though we have opted to keep SendHTLC flow unchanged, I will update the SendOnion implementation to include a note in this same spirit 👀

[bitromortac]

we should also document that after a call to switch.CleanStore it's possible to send the attempt like in the attempt store tests

[calvinrzachman]

Added that same verification here that the duplicate prevention is lifted after the CleanStore removes the attempt.

[calvinrzachman]

Though we have opted to keep SendHTLC flow unchanged, I will include this verification that the ID is freed for re-use in an analogous test with SendOnion and CleanStore when we expand switchrpc to contain a CleanStore (deletion) endpoint.

[bitromortac]

We should add here that callers make sure to not collide with their attempt ids, that they must be unique.

[calvinrzachman]

updated ✅

[calvinrzachman]

Though we have opted to keep SendHTLC flow unchanged, I will update the SendOnion implementation to include a note in this same spirit 👀

[bitromortac]

Let's do the rename unless y'all oppose it, I think it makes the usage clearer.

[bitromortac]

I think we can leave the separate commits to explicitly document the new error handling, just place those commits after the idempotency commit.

[bitromortac]

LGTM 🎉🎉

[bitromortac]

you need to include a link to the PR such that CI can pass, see the other items

[calvinrzachman]

updated to include the PR link 🔗

[bitromortac]

I'm not sure this is relevant here, I'd remove it. If there was no pending result in the result store, the cleanup routine won't unblock

[calvinrzachman]

removed.

[ziggie1984]

LGTM 🎉, great work. Guess we thought of all edge cases.

[ziggie1984]

I don't think we need to guard against this, only msg of a certain type make it to the result store, so I think we are fine.